Index: verify.pod =================================================================== RCS file: /usr/local/google/home/palmer/openssl/cvs/openssl/doc/apps/verify.pod,v retrieving revision 1.10 diff -u -r1.10 verify.pod --- verify.pod 23 Feb 2010 14:09:09 -0000 1.10 +++ verify.pod 6 Dec 2012 19:35:11 -0000 @@ -40,11 +40,12 @@ =item B<-CApath directory> -A directory of trusted certificates. The certificates should have names -of the form: hash.0 or have symbolic links to them of this -form ("hash" is the hashed certificate subject name: see the B<-hash> option -of the B utility). Under Unix the B script will automatically -create symbolic links to a directory of certificates. +A directory of trusted certificates. The certificates should have names of +the form: hash.0 or have symbolic links to them of this form ("hash" is the +hashed certificate subject name: see the B<-hash> option of the B +utility). Under Unix the B script will automatically create +symbolic links to a directory of certificates. If this option is +unspecified, the platform's default CA path will be used. =item B<-CAfile file> @@ -187,10 +188,11 @@ certificate signing. The lookup first looks in the list of untrusted certificates and if no match -is found the remaining lookups are from the trusted certificates. The root CA -is always looked up in the trusted certificate list: if the certificate to -verify is a root certificate then an exact match must be found in the trusted -list. +is found the remaining lookups are from the trusted certificates. (Note that +unless the B<-CApath> option is specified, the platform's default CA path +will be used.) The root CA is always looked up in the trusted certificate +list: if the certificate to verify is a root certificate then an exact match +must be found in the trusted list. The second operation is to check every untrusted certificate's extensions for consistency with the supplied purpose. If the B<-purpose> option is not included